CIS Logo
tagline: Confidence in the Connected World

CIS RAM (Risk Assessment Method) FAQ – Part 1

CIS released CIS RAM (Center for Internet Security Risk Assessment Method) in April 2018. Developed by HALOCK Security Labs in partnership with CIS, CIS RAM is an information security risk assessment method that helps organizations implement and assess their security posture against the CIS Controls cybersecurity best practices.

Hundreds of people attended our launch event and had a lot of great questions about CIS RAM. Read on to learn some of the answers to common questions.

Why a new risk assessment method?

CIS RAM includes business in cyber risk analysis by translating security risk into business terms for executive involvement.

The method prepares organizations for regulatory compliance. CIS RAM demonstrates “reasonable,” “appropriate,” and “acceptable” implementation of the CIS Controls.

This new method of risk assessment helps organizations prepare for litigation. CIS RAM analysis is similar to judicial “multi-factor balancing tests” that determine “due care.”

What are the goals for CIS RAM?

The creators of CIS RAM had several goals in mind when developing this new risk assessment method:

  • Provide practical, step-by-step instructions for conducting a risk assessment. Instructions, templates, and examples are provided with the free download.
  • Help determine whether an implementation of the CIS Controls is reasonable for a particular organization – even if the implementation is not exactly as written.
  • Align well with existing risk assessment methods including ISO 27005, NIST SP 800-30, and RISK IT.

What is the foundation to CIS RAM?

The CIS Controls were used as the foundation to CIS RAM. The CIS Controls address common threats as identified by a community of practitioners. They are simply stated, clear, practical, and explicit.

CIS RAM uses each CIS Control to consider how threats may be detected or prevented. It can be used to evaluate current or planned deployments.

How can I balance cybersecurity with practical business requirements?

CIS RAM is about balancing the benefits and burdens of cybersecurity safeguards.

CIS RAM safeguards


How can I get involved?

Arrow  Join the CIS Controls community on CIS WorkBench
  • Follow the steps to register if you don’t already have an account
  • After account validation by CIS, you will receive a welcome email
    • Join a community
    • Search for the CIS Controls community by typing in the search bar